3.1.7 OSPFv3 Virtual Link Configuration
The configuration is as follows:
Router R1 configuration
ipv6 unicast-routing
!
interface Loopback0
no ip address
ipv6 address 2001:10::1/64
ipv6 rip ripng enable
!
interface Ethernet1/0
no ip address
duplex full
ipv6 address 2001:1::1/64
ipv6 enable
ipv6 ospf 10 area 0
!
interface Ethernet1/1
no ip address
duplex full
ipv6 address 2001:5::1/64
ipv6 enable
ipv6 rip ripng enable
!
ipv6 router ospf 10
router-id 1.1.1.1
log-adjacency-changes
redistribute connected metric 50
redistribute rip ripng metric 50
!
ipv6 router rip ripng
Router R2 configuration
ipv6 unicast-routing
!
interface Ethernet1/0
no ip address
duplex full
ipv6 address 2001:1::2/64
ipv6 enable
ipv6 ospf 10 area 0
!
interface Ethernet1/1
no ip address
duplex full
ipv6 address 2001:2::1/64
ipv6 enable
ipv6 ospf 10 area 10
!
ipv6 router ospf 10
router-id 2.2.2.2
log-adjacency-changes
area 10 virtual-link 3.3.3.3
!
Router R3 configuration
ipv6 unicast-routing
!
interface Ethernet1/0
no ip address
duplex full
ipv6 address 2001:2::2/64
ipv6 enable
ipv6 ospf 10 area 10
!
interface Ethernet1/1
no ip address
duplex full
ipv6 address 2001:3::1/64
ipv6 enable
ipv6 ospf 10 area 20
!
ipv6 router ospf 10
router-id 3.3.3.3
log-adjacency-changes
area 10 virtual-link 2.2.2.2
Router R4 configuration
ipv6 unicast-routing
!
interface Loopback0
no ip address
ipv6 address 2001:11::1/64
ipv6 ospf 10 area 20
!
interface Ethernet1/0
no ip address
duplex full
ipv6 address 2001:3::2/64
ipv6 enable
ipv6 ospf 10 area 20
!
interface Ethernet1/1
no ip address
duplex full
ipv6 address 2001:4::1/64
ipv6 enable
!
ipv6 router ospf 10
router-id 4.4.4.4
log-adjacency-changes
You can use show commands to view the routing information.
R3#sh ipv6 ospf virtual-links
Virtual Link OSPFv3_VL0 to router 2.2.2.2 is up
Interface ID 11, IPv6 address 2001:1::2
Run as demand circuit
DoNotAge LSA allowed.
Transit area 10, via interface Ethernet1/0, Cost of using 10
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Adjacency State FULL (Hello suppressed)
Index 1/1/3, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
R2#sh ipv6 ospf virtual-links
Virtual Link OSPFv3_VL0 to router 3.3.3.3 is up
Interface ID 11, IPv6 address 2001:3::1
Run as demand circuit
DoNotAge LSA allowed.
Transit area 10, via interface Ethernet1/1, Cost of using 10
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Adjacency State FULL (Hello suppressed)
Index 1/2/3, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec
R4#sh ipv6 route
IPv6 Routing Table - 14 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OI 2001:1::/64 [110/30]
via FE80::C800:73FF:FE68:1D, Ethernet1/0
OI 2001:1::2/128 [110/20]
via FE80::C800:73FF:FE68:1D, Ethernet1/0
OI 2001:2::/64 [110/20]
via FE80::C800:73FF:FE68:1D, Ethernet1/0
C 2001:3::/64 [0/0]
via ::, Ethernet1/0
OI 2001:3::1/128 [110/10]
via FE80::C800:73FF:FE68:1D, Ethernet1/0
L 2001:3::2/128 [0/0]
via ::, Ethernet1/0
C 2001:4::/64 [0/0]
via ::, Ethernet1/1
L 2001:4::1/128 [0/0]
via ::, Ethernet1/1
OE2 2001:5::/64 [110/50]
via FE80::C800:73FF:FE68:1D, Ethernet1/0
OE2 2001:10::/64 [110/50]
via FE80::C800:73FF:FE68:1D, Ethernet1/0
C 2001:11::/64 [0/0]
via ::, Loopback0
L 2001:11::1/128 [0/0]
via ::, Loopback0
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
R2#sh ipv6 ospf neighbor
Neighbor ID Pri State Dead Time Interface ID Interface
3.3.3.3 1 FULL/ - - 11 OSPFv3_VL0
1.1.1.1 1 FULL/BDR 00:00:35 5 Ethernet1/0
3.3.3.3 1 FULL/DR 00:00:14 5 Ethernet1/1
3.1.8 OSPFv3 Authentication Configuration
The topology for this lab is shown below:
[Figure: lab topology diagram]
The configuration is as follows:
Router R1 configuration
ipv6 unicast-routing
!
interface Loopback0
no ip address
ipv6 address 2001:10::1/64
ipv6 rip ripng enable
!
interface Ethernet1/0
no ip address
duplex full
ipv6 address 2001:1::1/64
ipv6 enable
ipv6 ospf 10 area 0
!
interface Ethernet1/1
no ip address
duplex full
ipv6 address 2001:5::1/64
ipv6 enable
ipv6 rip ripng enable
!
ipv6 router ospf 10
router-id 1.1.1.1
log-adjacency-changes
redistribute connected metric 50
redistribute rip ripng metric 50
!
ipv6 router rip ripng
Router R2 configuration
ipv6 unicast-routing
!
interface Ethernet1/0
no ip address
duplex full
ipv6 address 2001:1::2/64
ipv6 enable
ipv6 ospf 10 area 0
!
interface Ethernet1/1
no ip address
duplex full
ipv6 address 2001:2::1/64
ipv6 enable
ipv6 ospf 10 area 10
!
ipv6 router ospf 10
router-id 2.2.2.2
log-adjacency-changes
area 10 authentication ipsec spi 10111 md5 1234567890ABCDEF1234567890ABCDEF
area 10 virtual-link 3.3.3.3
!
Router R3 configuration
ipv6 unicast-routing
!
interface Ethernet1/0
no ip address
duplex full
ipv6 address 2001:2::2/64
ipv6 enable
ipv6 ospf 10 area 10
!
interface Ethernet1/1
no ip address
duplex full
ipv6 address 2001:3::1/64
ipv6 enable
ipv6 ospf 10 area 20
!
ipv6 router ospf 10
router-id 3.3.3.3
log-adjacency-changes
area 10 authentication ipsec spi 10111 md5 1234567890ABCDEF1234567890ABCDEF
area 10 virtual-link 2.2.2.2
Router R4 configuration
ipv6 unicast-routing
!
interface Loopback0
no ip address
ipv6 address 2001:11::1/64
ipv6 ospf 10 area 20
!
interface Ethernet1/0
no ip address
duplex full
ipv6 address 2001:3::2/64
ipv6 enable
ipv6 ospf 10 area 20
!
interface Ethernet1/1
no ip address
duplex full
ipv6 address 2001:4::1/64
ipv6 enable
!
ipv6 router ospf 10
router-id 4.4.4.4
log-adjacency-changes
You can use show commands to view the routing information.
R2#sh ipv6 ospf
Routing Process "ospfv3 10" with ID 2.2.2.2
It is an area border router
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 4. Checksum Sum 0x0201A8
Number of areas in this router is 2. 2 normal 0 stub 0 nssa
Reference bandwidth unit is 100 mbps
Area BACKBONE(0)
Number of interfaces in this area is 2
SPF algorithm executed 21 times
Number of LSA 15. Checksum Sum 0x086F59
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 6
Flood list length 0
Area 10
Number of interfaces in this area is 1
MD5 Authentication, SPI 10111
SPF algorithm executed 15 times
Number of LSA 16. Checksum Sum 0x09D294
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
R2#sh ipv6 ospf interface ethernet 1/1
Ethernet1/1 is up, line protocol is up
Link Local Address FE80::C800:73FF:FE6C:1D, Interface ID 6
Area 10, Process ID 10, Instance ID 0, Router ID 2.2.2.2
Network Type BROADCAST, Cost: 10
MD5 Authentication (Area) SPI 10111, secure socket state UP (errors: 0)
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 3.3.3.3, local address FE80::C800:73FF:FE68:1C
Backup Designated router (ID) 2.2.2.2, local address FE80::C800:73FF:FE6C:1D
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:05
Index 1/1/2, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 5
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 3.3.3.3 (Designated Router)
Suppress hello for 0 neighbor(s)
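The show output above reports MD5 authentication for area 10 only. The following added example (not part of the original post) audits the same area-level settings offline: it reads the OSPFv3 lines of the R2 and R3 configurations and reports areas that carry interfaces but no `area ... authentication ipsec` line, use of md5, a patterned key, and SPI/key differences between routers. The function names, the issue labels and the repeated-block key heuristic are assumptions of this example, and only the area-level command form used on this page is parsed.

```python
import re

# Constructed input: the OSPFv3-related lines of R2 and R3 from section 3.1.8.
AUTH = " area 10 authentication ipsec spi 10111 md5 1234567890ABCDEF1234567890ABCDEF\n"
R2 = ("interface Ethernet1/0\n ipv6 ospf 10 area 0\n"
      "interface Ethernet1/1\n ipv6 ospf 10 area 10\n"
      "ipv6 router ospf 10\n router-id 2.2.2.2\n" + AUTH +
      " area 10 virtual-link 3.3.3.3\n")
R3 = ("interface Ethernet1/0\n ipv6 ospf 10 area 10\n"
      "interface Ethernet1/1\n ipv6 ospf 10 area 20\n"
      "ipv6 router ospf 10\n router-id 3.3.3.3\n" + AUTH +
      " area 10 virtual-link 2.2.2.2\n")

IF_AREA = re.compile(r"^\s*ipv6 ospf \d+ area (\S+)\s*$", re.M)
AREA_AUTH = re.compile(
    r"^\s*area (\S+) authentication ipsec spi (\d+) (md5|sha1) ([0-9A-Fa-f]+)\s*$",
    re.M)

def is_patterned(key):
    """Heuristic chosen for this example: the key is one shorter block repeated."""
    n = len(key)
    return any(n % p == 0 and key == key[:p] * (n // p)
               for p in range(1, n // 2 + 1))

def audit(routers):
    """routers maps name -> config text; returns (router, area, issue) tuples."""
    findings, first_seen = [], {}
    for name, cfg in routers.items():
        auth = {area: (int(spi), alg.lower(), key.upper())
                for area, spi, alg, key in AREA_AUTH.findall(cfg)}
        for area in sorted(set(IF_AREA.findall(cfg))):
            if area not in auth:            # interfaces in an area with no SA
                findings.append((name, area, "no-auth"))
                continue
            _spi, alg, key = auth[area]
            if alg == "md5":                # IOS also accepts sha1 here
                findings.append((name, area, "md5"))
            if is_patterned(key):
                findings.append((name, area, "patterned-key"))
            # Both ends of an area must share SPI, algorithm and key.
            if first_seen.setdefault(area, auth[area]) != auth[area]:
                findings.append((name, area, "sa-mismatch"))
    return findings

if __name__ == "__main__":
    for finding in audit({"R2": R2, "R3": R3}):
        print(*finding)
```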
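You can capture the authenticated packets with Ethereal, as shown in the figures below:
As the figures show, once authentication is enabled on a router, every OSPFv3 packet type (Hello, DBD, LSR, LSU and LSAck) carries an Authentication Header (AH) in front of the OSPF header. This only authenticates the OSPFv3 packets being sent and received: MD5 is applied only to the key used for authentication, and the contents carried in the OSPFv3 packets are not encrypted.
Because the OSPFv3 routing protocol itself provides no security mechanism, the only option is to place an authentication header in front of the OSPFv3 packet.
This only verifies that the routers sending and receiving the various OSPFv3 packets are legitimate. To encrypt the packets or improve security further, you can use the IPSec protocol. Using IPSec with OSPFv3 to improve security will be covered in detail in the next post.
[Figures: Ethereal captures of the authenticated OSPFv3 packets]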
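The point made above, that the AH sits in front of the OSPFv3 header and leaves the OSPFv3 fields readable, can be checked on captured bytes. The following added example (not part of the original post) parses the AH (RFC 4302) and the OSPFv3 packet header (RFC 5340) and flags OSPFv3 that arrives without an AH or with an unexpected SPI. The function names, verdict strings and sample bytes are assumptions of this example; it assumes the AH directly follows the IPv6 header and does not verify the ICV.

```python
import ipaddress
import struct

AH, OSPF = 51, 89        # IP protocol numbers: Authentication Header, OSPF
OSPF_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}

def parse_ah(data):
    """RFC 4302 layout: next header, payload len, reserved, SPI, sequence, ICV."""
    nxt, plen, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    total = (plen + 2) * 4            # Payload Len is in 32-bit words, minus 2
    if len(data) < total:
        raise ValueError("truncated AH")
    return {"next": nxt, "spi": spi, "seq": seq, "icv": data[12:total]}, data[total:]

def parse_ospfv3(data):
    """RFC 5340 16-byte packet header, read directly from the bytes on the wire."""
    ver, typ, length, rid, area, _cksum, inst, _zero = struct.unpack(
        "!BBH4s4sHBB", data[:16])
    return {"version": ver, "type": OSPF_TYPES.get(typ, typ), "length": length,
            "router_id": str(ipaddress.IPv4Address(rid)),
            "area": str(ipaddress.IPv4Address(area)), "instance": inst}

def inspect(next_header, payload, expected_spi):
    """Classify the bytes that follow the IPv6 header of one captured packet."""
    if next_header == OSPF:           # OSPFv3 with no AH in front of it
        return "unauthenticated", parse_ospfv3(payload)
    if next_header != AH:
        return "not-ospf", None
    ah, rest = parse_ah(payload)
    if ah["next"] != OSPF:
        return "not-ospf", None
    verdict = "ah-expected-spi" if ah["spi"] == expected_spi else "ah-unexpected-spi"
    return verdict, parse_ospfv3(rest)   # ICV is not verified here

# Constructed sample: header-only Hello from router 2.2.2.2 in area 10, wrapped
# in an AH with SPI 10111, sequence 1 and a 12-byte placeholder ICV (all zero).
HELLO = struct.pack("!BBH4s4sHBB", 3, 1, 16, bytes([2, 2, 2, 2]),
                    bytes([0, 0, 0, 10]), 0, 0, 0)
AH_HELLO = struct.pack("!BBHII", OSPF, 4, 0, 10111, 1) + bytes(12) + HELLO

if __name__ == "__main__":
    print(inspect(AH, AH_HELLO, 10111))
    print(inspect(OSPF, HELLO, 10111))
```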